3.2, 3.0.6, 2.22.6, and 3.3.1 Security Advisory

Feb 2, 2009

Summary
=======
Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.
This advisory covers three security issues that have recently been
fixed in the Bugzilla code:
* It was possible for users to upload a malicious attachment to
that would run in the context of Bugzilla's domain (thus
circumventing cross-site request protections in browsers).
* Bug updating was vulnerable to a cross-site request forgery.
Note that this issue was only fixed for 3.2.1 and 3.3.2 even though
all versions of Bugzilla are affected (see below for an explanation).
* Keywords, unused flag types, and saved searches could be deleted via
cross-site request forgery. Also, a user's preferences could be
changed via cross-site request forgery.
All affected installations are encouraged to upgrade as soon as
possible.
Vulnerability Details
=====================
Class: Abuse of Functionality (Attachments)
Versions: Every version before 2.22.7, 3.0.7, 3.2.1, or 3.3.2
Fixed In: 2.22.7, 3.0.7, 3.2.1, 3.3.2
Description: Bugzilla users can upload HTML or JavaScript attachments
that are then viewed by other users in their web browsers.
A malicious user could trick another Bugzilla user into
viewing a malicious attachment that could then operate
as that user. Since Bugzilla would view attachments
using the same domain name as the rest of the application,
such malicious attachments could access the cookies of
the user and perform other activities usually restricted
by the cross-site request protections of web browsers.
Bugzilla now provides a two-fold solution to this problem:
Bugzilla 2.22.7, 3.0.7, 3.2.1, and 3.3.2 now prevent
users from viewing attachments in their browsers, by
default. There is a new parameter named
"allow_attachment_display" that administrators can enable
to override this protection.
Once this parameter is turned on, Bugzilla 3.0.7, 3.2.1,
and 3.3.2 allow administrators to specify that attachments
should be viewed using a different domain. This increases
safety for the end user by enabling the browser's
cross-domain request protections.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=38862
https://bugzilla.mozilla.org/show_bug.cgi?id=472206
Class: Cross-Site Request Forgery
Versions: Every version before 3.2.1 or 3.3.2
Fixed In: 3.2.1, 3.3.2
Description: Bug updating was vulnerable to a cross-site request
forgery, because it did not validate that calls to
process_bug.cgi actually came from Bugzilla.
Bugzilla now generates a token that is validated when
process_bug.cgi is called. This may break automated
scripts that call process_bug.cgi directly, unless they
first load show_bug.cgi to get a valid token.
Unfortunately, a fix for this issue was only possible for
3.2.1 and 3.3.2. Fixing it on earlier branches would have
broken Bugzilla's mid-air collision functionality.
It should be noted that this issue actually was not a
secret--it has been public knowledge for quite some time.
It is only included in this security advisory to note that
a fix is now available.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=26257
Class: Cross-Site Request Forgery
Versions: All Versions (for keywords and user preferences), 2.17
and higher (for flags), 3.0 and higher (for saved
searches)
Fixed In: 2.22.7, 3.0.7, 3.2.1, 3.3.2
Description: When deleting saved searches, keywords, or unused
(never set on any bug or attachment) flags, or when a user
updated their preferences, Bugzilla did not properly
validate that the request came from Bugzilla. So, it was
possible to trick a user into click on a link that would
perform these actions without their consent.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=466692
https://bugzilla.mozilla.org/show_bug.cgi?id=466748
https://bugzilla.mozilla.org/show_bug.cgi?id=472362
Vulnerability Solutions
=======================
The fix for the security bugs mentioned in this advisory are included
in the 3.3.2, 3.2.1, 3.0.7, and 2.22.7 releases (though certain issues
are only fixed for certain versions, as noted above). Upgrading to a
release with the relevant fix will protect your installation from
possible exploits of these issues.
Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS upgrade instructions are available at:
https://www.bugzilla.org/download/
Credits
=======
The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
these issues:
Frédéric Buclin
Stephen Lee
Jesse Ruderman
Terry Weissman
Max Kanat-Alexander
Teemu Mannermaa
Mozilla Corporation
General information about the Bugzilla bug-tracking system can be found
at:
https://www.bugzilla.org/
Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
https://www.bugzilla.org/support/ has directions for accessing these
forums.